"Is our site secure?"
That is never a question you want to hear when launching a new website. It is also an impossible question to answer. The technical definition of security is "the state of being free from danger or injury", but you can never protect anything perfectly all the time. So the question should be, "Is our site secure enough?"
And it is never a question that should be asked at launch time. Security must be part of the planning, part of the programming, part of the testing, part of the deployment process and, finally, part of the monitoring and upkeep of a site. It should be part of every stage of development. However, "security at every level" doesn't have to cost extra time or money, and in fact it shouldn't. If "site security" means millions of dollars or weeks of extra work, then the problem lies with the website development process and its creators. When you start treating security as a "feature" instead of a necessary part of your development process, it becomes a resource-eating monster.
Far too many IT professionals, managers and others involved in creating new sites view security as a last-minute feature in the push to "get it out fast." In fact, generally the argument for not attending to it is: "We can't waste time or money on security features; we have to get this site launched!"
You won't have a site, or a business, for long if someone manages to retrieve your entire database of personal information or credit cards. Like most things in life, a balancing act is required. Defining what security is exactly, and what it means for a site is always the hard part. What does "security" mean in a website or a web application? It means being defensive.
"Defensive driving" is a term thrown at every student in driver's training. It means to drive as if every other person on the road were an idiot trying to hit you, because the majority of them are less-than-fantastic drivers and being aware of the danger is half of the solution.
Any developer working on a website should be thinking in the same manner: Every user is an idiot trying to break the site. However, the reaction to that constant danger should be equal to the needs of the website. When driving on a sunny, dry road in broad daylight, a driver can be far less diligent than when driving on a wet road, in a blizzard or in the dark. The conditions of the road are going to affect stopping distance, maneuverability and the ability to avoid hazards. The amount of diligence needed for a website should be equally tailored to environmental conditions. An e-commerce site has far different needs than a social networking site, or a fan site for an author or artist.
Having a plan--from the beginning--for the important issues with the site is a necessary first step. Implementing the plan as part of your general process shouldn't be the end of the line, however. The other critical piece of the puzzle is ongoing maintenance. Sites and audiences change, and those changes will mean new challenges. Proper monitoring and maintenance of a site is part of the process of security.
Knowing a site's operating environment and type of users will help to define what security measures are needed up front, eliminating the problems inherent with trying to "bolt on" security after the fact. Even a general overview of what kind of information a site is going to collect and distribute is enough to have an idea of what kind of audience that site will attract. It is far easier to leave room for future security enhancements than to try to plug holes in an existing system.
So take the time to sit down before you start creating the site and answer some of the following questions. Record the answers in a document and put it with your code so you can refer back to the answers.
- What kind of data am I going to be collecting and storing?
  - Basic information (names and email addresses)
  - Personal information (phone numbers, physical addresses)
  - Asset information (credit card numbers, bank information)
  - Identifying information (Social Security numbers, driver's license numbers)
  - Business information
  - Medical information
- What kind of physical system am I going to be using and who has access? This includes backups.
- What kind of software am I going to be using and how will it be maintained?
- What kind of ongoing system will be put in place to maintain the system and data?
These questions will give you an excellent idea of how much concern for security your site will warrant. The more sensitive the information collected, the more security you'll need. The less control you have over the physical systems in place, the more diligent your security measures need to be. The less control you have over the software in place, the more security measures you may need to put in place. If you have little budget for ongoing monitoring, you'll need to invest more in automating security measures up front.
Remember that no matter what kind of site you are creating, the basics can never be ignored.
- Keep your software up to date with security fixes
- Validate all input
- Escape all output
- If you're dealing with something sensitive, use SSL for logins (the industry is showing signs of adopting SSL for everything).
- Use SFTP or SCP, or at the very least FTPS, for transferring files to and from your server
- Regenerate a user's session when access permissions change
- Validation should always be done server side, even if you have JavaScript checks
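Three of the basics above (validate all input, escape all output, regenerate the session when permissions change) are shown together below as an added example; it is not code from the original article. It is framework-independent Python: the validation rules, the `SessionStore` class and the sample form submissions are constructed for illustration, and a real application would plug the same checks into its own request handlers and session backend.

```python
"""Added example (not from the original article): server-side input validation,
output escaping, and session regeneration on a permission change, written as
framework-independent Python so the checks can be run and tested offline.
All names and the in-memory session store are assumptions for illustration."""
import html
import re
import secrets

# Constructed validation rules: a display name and an email address.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,49}$")
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]+\.[A-Za-z]{2,}$")


def validate_signup(form: dict) -> dict:
    """Validate a signup form on the server. Returns a dict of field -> error
    message; an empty dict means the input is acceptable. Runs regardless of
    any JavaScript checks the browser may have performed."""
    errors = {}
    name = (form.get("name") or "").strip()
    email = (form.get("email") or "").strip()
    if not NAME_RE.fullmatch(name):
        errors["name"] = "name must be 1-50 letters, spaces, hyphens or apostrophes"
    if not EMAIL_RE.fullmatch(email):
        errors["email"] = "email address is not well formed"
    return errors


def render_greeting(name: str) -> str:
    """Escape user-supplied data before placing it in HTML so that any markup
    in the input is shown literally rather than interpreted by the browser."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "!</p>"


class SessionStore:
    """Minimal in-memory session store (an assumption for this example).
    Session IDs are random; changing a user's role issues a fresh ID so a
    session ID captured before the change does not carry the new permissions."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "role": ...}

    def create(self, user: str, role: str = "member") -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "role": role}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def change_role(self, sid: str, new_role: str) -> str:
        """Regenerate the session when access permissions change: the old ID
        is invalidated and a new one is returned for the client to use."""
        data = self._sessions.pop(sid)  # KeyError if the session is unknown
        data = dict(data, role=new_role)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


if __name__ == "__main__":
    # Constructed sample input: the kind of submission a form handler receives.
    print(validate_signup({"name": "Ada Lovelace", "email": "ada@example.com"}))  # {}
    print(validate_signup({"name": "<script>", "email": "not-an-email"}))
    print(render_greeting("<b>Ada</b>"))
    store = SessionStore()
    sid = store.create("ada")
    new_sid = store.change_role(sid, "admin")
    print(store.get(sid), store.get(new_sid))  # None {'user': 'ada', 'role': 'admin'}
```

The validation is deliberately allow-list based (what a name or address may contain) rather than a list of bad characters, and it runs on the server copy of the data, so it holds even when the browser's checks are bypassed. `render_greeting` escapes at output time rather than at storage time, which keeps the stored data intact and lets the same value be escaped differently for other contexts later. In `change_role`, popping the old ID before issuing the new one is what makes the regeneration effective: after a privilege change the old session no longer resolves to anything.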
If security becomes part of your state of mind at every step along the way, instead of a last-minute, add-on feature, you'll never have to answer the question "is our site secure?" because you'll always be aware that it is secure enough.